Hi, Gregory Maxwell wrote (22 Aug 2010 00:55:49 GMT) : > I think it's obvious that the best way of using tor is running your > torrified apps in a VM which can only access the outside world via > TOR.
I doubt there is something like "the" best way of using Tor. One always needs to balance the risks vs. the efforts needed to get some protection against it. More practically speaking: there are use cases the Tor Browser Button is perfect for, but it cannot prevent every leakage of anonymity to local disks. Then come Tor-ified VM setups that protect users a bit more but still somehow rely on the host operating system. Then comes running a Tor-ified Live system such as T(A)ILS [1] on bare metal. Each situation has its best fit solution but I don't think one solution can be told to be best in any cases. [1] https://amnesia.boum.rog/ > This provides the highest protection from network leaks and > also partially thwarts fingerprinting. But I can only assume that > the 'cost' (performance, complexity, etc) of using a VM for tor is > too high for many people— otherwise we would insist that anyone who > wants anonymity operate that way. About performance: a five years old laptop with 1.7 GHz processor and 1GB RAM is able to run a fully-fledged Tor-ified desktop system such as T(A)ILS in VirtualBox. It was also true with qemu+kqemu last time I checked. About complexity: running a guest OS in a VM is really easy with VirtualBox (and presumably with its proprietary counterparts). But maybe I am missing the point. What kind of complexity are you talking of? Another "cost" mentioned by coderman was "elevated privs for accelerated virtualization / para-virtualization". AFAIK VirtualBox does not need any special privileges (once the kernel part of the software is installed, and the modules/services loaded). Please don't misunderstand me. I'm not a fan of VM-based solutions and pretty much prefer the bare-metal + Live OS approach, but I feel we need to consider their pros and cons in a more detailed way than discarding them on the assumption that their cost must be too high else we would push for their usage much more than we do. > Has anyone looked into using the SELINUX sandbox > (http://danwalsh.livejournal.com/28545.html) to prevent leaks? The > sandbox provides a high degree of application isolation. It looks > like it would be pretty much trivial to add an option to the sandbox > front end program to only allow accesses to the tor socks port from > the isolated app. I'm sure there are use-cases such a sandbox would fit very well, and am in favour of developing new ways of using Tor when practical use-cases make it necessary. If it fits a bunch of (potential) users' needs, I do encourage you to push this idea forward. On the other hand: if we want to consider ease of use "for many people" as an important criterion, which we do, which one seems easier amongst the two following solutions? 1. Download T(A)ILS and burn it on a CD, then boot it when needed (possibly in a VM if you can afford it wrt. performance and security). 2. Replace your current OS with another one that supports SE Linux well enough to support the SE Linux enhanced sandbox described solution (examples needed), install the sandbox front-end program that does not exist yet, and setup the needed sandboxes for the apps that need to be Tor-ified and somehow isolated. Then you only need to never, ever confuse your nice sandboxed web browser with your other non-sandboxed one. As a T(A)ILS developer I am of course biased but #1 seems pretty much easier to me. Bye, -- intrigeri <intrig...@boum.org> | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc | The impossible just takes a bit longer. *********************************************************************** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/